Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: google drive permissions sync #484

Merged
merged 11 commits into from
Sep 25, 2020
Merged

Conversation

bobheadxi
Copy link
Member

@bobheadxi bobheadxi commented Sep 24, 2020

Pull Request

Description

Give a brief description of your changes:

Enables an optional step to team refresh, enabled by providing GCP_SERVICE_ACCOUNT_CREDENTIALS, to synchronize team folders by sharing each team's configured folder to all emails provided by that team's members.

The current intended use case for this is only for the top-level folders indicated in https://docs.ubclaunchpad.com/handbook/tools/drive - i.e I will be assigning the following folders:

  • all: Projects
  • leads: UBC Launch Pad
  • design: Design
  • strategy: Strategy

As such, no care has been taken for certain edge cases (ie "what if I don't want to unshare with anyone not on a rocket team?") - for this iteration of this feature, I am going to keep it simple.

The goal is to remove one of the last steps that leads have to do from onboarding - see ubclaunchpad/LP-website#175 . It currently requires a refresh - see #490, #495

Testing

If testing this change requires extra setup, please document it here:

Simple unit test provided. Working on a clicky-click test as well.

Update - verified this works!

image

Ticket(s)

Closes #284

(Create a copy of that line for each Github Issue affected,
and replace "Affects" with "Closes" if merging this will close the relevant ticket.)

@bobheadxi bobheadxi requested a review from chuck-sys September 24, 2020 08:15
@bobheadxi bobheadxi requested review from a team as code owners September 24, 2020 08:15
@bobheadxi bobheadxi marked this pull request as draft September 24, 2020 08:15
@bobheadxi bobheadxi force-pushed the drive-permissions-sync branch 4 times, most recently from ea7e807 to b971333 Compare September 24, 2020 09:25
@codecov
Copy link

codecov bot commented Sep 24, 2020

Codecov Report

Merging #484 into master will decrease coverage by 1.17%.
The diff coverage is 63.82%.

Impacted file tree graph

@@            Coverage Diff             @@
##           master     #484      +/-   ##
==========================================
- Coverage   94.83%   93.66%   -1.18%     
==========================================
  Files          44       45       +1     
  Lines        2403     2495      +92     
  Branches      303      320      +17     
==========================================
+ Hits         2279     2337      +58     
- Misses         80      110      +30     
- Partials       44       48       +4     
Impacted Files Coverage Δ
app/controller/command/commands/team.py 84.17% <27.02%> (-5.89%) ⬇️
interface/gcp.py 85.71% <85.71%> (ø)
app/controller/command/parser.py 96.66% <100.00%> (+0.11%) ⬆️
app/model/team.py 98.50% <100.00%> (+0.06%) ⬆️
config/__init__.py 100.00% <100.00%> (ø)

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 5af07ad...62b9e2e. Read the comment docs.

@bobheadxi bobheadxi force-pushed the drive-permissions-sync branch 2 times, most recently from 319d1df to becd800 Compare September 24, 2020 13:17
@bobheadxi bobheadxi marked this pull request as ready for review September 24, 2020 14:59
Copy link
Collaborator

@chuck-sys chuck-sys left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Needs a bit more testing.

Comment on lines 673 to 698
def refresh_drive_permissions(self):
"""
Refresh Google Drive permissions based on user role. If no GCP client
is provided, this function is a no-op.
"""

if self.gcp is None:
logging.debug("GCP not enabled, skipping drive permissions")
return

all_teams: List[Team] = self.facade.query(Team)
for t in all_teams:
if len(t.folder) == 0:
continue

emails: List[str] = []
for m in t.members:
if len(m.email) > 0:
emails.append(m.email)

if len(emails) > 0:
logging.info("Synchronizing permissions for "
+ f"{t.github_team_name}'s folder ({t.folder}) "
+ f"to {emails}")
self.gcp.set_drive_permissions(
t.folder, t.github_team_name, emails)
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You may want to run a more specialized version of this function, specific to the team that called with a --folder, to sync permissions for that team's team members only.

Something similar to what happens when we do /rocket user edit --github and we do an invite for that github user to join our organization.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do you think it's necessary at the moment? Happy to implement this in a follow-up instead :)

app/model/team.py Show resolved Hide resolved
@bobheadxi bobheadxi force-pushed the drive-permissions-sync branch from e5aae9a to a4ac605 Compare September 25, 2020 01:36
@bobheadxi bobheadxi requested a review from chuck-sys September 25, 2020 03:28
Copy link
Collaborator

@chuck-sys chuck-sys left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Okay so here's the thing. /rocket team refresh takes around 20 seconds to execute (last I checked). The more members we have in Launch Pad, the longer it takes, O(n). We'll still need ways for users to receive the permission sharing automatically, whether if it is a user just adding their emails, or a team adding a folder ID into the system.

I am very adamant about not using /rocket team refresh unless we really need to because ... there are lots of side effects that I don't know about, that may be disruptive. For example, today I found out that it would forcefully add a user back into the organization if the user was in ddb but was already out of the org (one possibility would be if the user ID was still in a team in ddb).

Will have to implement this as a follow-up. For now I'm approving this.

Copy link
Collaborator

@chuck-sys chuck-sys left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Okay so here's the thing. /rocket team refresh takes around 20 seconds to execute (last I checked). The more members we have in Launch Pad, the longer it takes, O(n). We'll still need ways for users to receive the permission sharing automatically, whether if it is a user just adding their emails, or a team adding a folder ID into the system.

I am very adamant about not using /rocket team refresh unless we really need to because ... there are lots of side effects that I don't know about, that may be disruptive. For example, today I found out that it would forcefully add a user back into the organization if the user was in ddb but was already out of the org (one possibility would be if the user ID was still in a team in ddb).

Will have to implement this as a follow-up. For now I'm approving this.

@bobheadxi
Copy link
Member Author

@cheukyin699 agreed and noted! I've created #490 to cover that

@bobheadxi bobheadxi merged commit a7cfd72 into master Sep 25, 2020
@bobheadxi bobheadxi deleted the drive-permissions-sync branch September 25, 2020 05:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Google drive permissions management
2 participants